What is a MITM attack?
In cryptography and computer security, a man-in-the-middle attack (MITM) is an attack where the attacker secretly relays and possibly alters the communications between two parties who believe that they are directly communicating with each other. One example of a MITM attack is active eavesdropping, in which the attacker makes independent connections with the victims and relays messages between them to make them believe they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all relevant messages passing between the two victims and inject new ones. This is straightforward in many circumstances; for example, an attacker within reception range of an unencrypted wireless access point (Wi-Fi) could insert themselves as a man-in-the-middle. (Source: https://en.wikipedia.org/wiki/Man-in-the-middle_attack)
There are several types of MITM attacks out there: some at a low level (e.g. MAC address or IP spoofing, ARP poisoning and wireless de-auth methods, to name a few) and others at higher levels such as DNS redirection, session hijacking, SSL stripping, etc. Some of these can be stopped by the network infrastructure, others cannot. In this post I’ll focus on just the wired LAN side of things. In future posts I’ll dig into wireless networks and move up the stack to sessions and SSL/TLS. Finally, I’ll discuss a paper I read recently regarding potential vulnerabilities in implementations of Elliptic Curve Cryptography (ECC) algorithms. Leave a comment with your vote for which you’d like to see next!
There are two main types of attacks at Layer 2/3. The first is the endpoint or spoofing attack, where the target is tricked into sending its traffic to the attacker, who then forwards it on to the original (or a different) destination. ARP poisoning is the classic example: the attacker answers ARP for the gateway’s IP with their own MAC, and a normal switch happily delivers the victim’s frames to whichever MAC the victim has been fooled into using. The second is known as an in-line attack, where a device is physically placed on the wire in the path of the traffic and either modifies it or just passively monitors it.
One of the most well-known tools for performing an endpoint MITM attack on a LAN is Ettercap. Here are a few examples of the options, as shown in the CLI and GUI:
kali:~$ ettercap -P list

ettercap 0.8.2 copyright 2001-2015 Ettercap Development Team

Available plugins :

   arp_cop         1.1  Report suspicious ARP activity
   autoadd         1.2  Automatically add new victims in the target range
   chk_poison      1.1  Check if the poisoning had success
   dns_spoof       1.2  Sends spoofed dns replies
   dos_attack      1.0  Run a d.o.s. attack against an IP address
   dummy           3.0  A plugin template (for developers)
   find_conn       1.0  Search connections on a switched LAN
   find_ettercap   2.0  Try to find ettercap activity
   find_ip         1.0  Search an unused IP address in the subnet
   finger          1.6  Fingerprint a remote host
   finger_submit   1.0  Submit a fingerprint to ettercap's website
   fraggle_attack  1.0  Run a fraggle attack against hosts of target one
   gre_relay       1.0  Tunnel broker for redirected GRE tunnels
   gw_discover     1.0  Try to find the LAN gateway
   isolate         1.0  Isolate an host from the lan
   link_type       1.0  Check the link type (hub/switch)
   mdns_spoof      1.0  Sends spoofed mDNS replies
   nbns_spoof      1.1  Sends spoof NBNS replies & sends SMB challenges with custom challenge
   pptp_chapms1    1.0  PPTP: Forces chapms-v1 from chapms-v2
   pptp_clear      1.0  PPTP: Tries to force cleartext tunnel
   pptp_pap        1.0  PPTP: Forces PAP authentication
   pptp_reneg      1.0  PPTP: Forces tunnel re-negotiation
   rand_flood      1.0  Flood the LAN with random MAC addresses
   remote_browser  1.2  Sends visited URLs to the browser
   reply_arp       1.0  Simple arp responder
   repoison_arp    1.0  Repoison after broadcast ARP
   scan_poisoner   1.0  Actively search other poisoners
   search_promisc  1.2  Search promisc NICs in the LAN
   smb_clear       1.0  Tries to force SMB cleartext auth
   smb_down        1.0  Tries to force SMB to not use NTLM2 key auth
   smurf_attack    1.0  Run a smurf attack against specified hosts
   sslstrip        1.1  SSLStrip plugin
   stp_mangler     1.0  Become root of a switches spanning tree
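To make the endpoint/spoofing attack concrete from the defender’s side, here is an added example (my code, not ettercap’s) of the kind of check ettercap’s own arp_cop plugin performs: watch the ARP replies a host sees, remember which MAC answered for each IP, and alert when a mapping changes or when one NIC starts answering for several addresses, which is exactly what an arp:remote poison of both the victim and the gateway looks like. The log lines, addresses and MACs are constructed for the example; the "reply <ip> is-at <mac>" format is my own simplification, not a real capture format.

```python
"""Host-side ARP poisoning detector, the kind of check ettercap's own arp_cop
plugin runs ("Report suspicious ARP activity"). Added example, not ettercap code.

Tracks which MAC claims each IP in observed ARP replies and raises an alert
when a mapping changes, or when one MAC claims several IPs: the fingerprint of
an arp:remote poison where the attacker's NIC answers for both the gateway and
the victim so that it sits in the middle of both directions."""
from collections import defaultdict

# Constructed log lines (not real captures): "<time> reply <ip> is-at <mac>".
ARP_LOG = [
    "10:00:01 reply 192.168.1.1 is-at 00:11:22:33:44:01",    # gateway
    "10:00:02 reply 192.168.1.20 is-at 00:11:22:33:44:20",   # workstation (victim)
    "10:00:03 reply 192.168.1.66 is-at de:ad:be:ef:00:66",   # attacker's own host
    "10:00:30 reply 192.168.1.1 is-at de:ad:be:ef:00:66",    # poison: attacker claims the gateway
    "10:00:30 reply 192.168.1.20 is-at de:ad:be:ef:00:66",   # poison: attacker claims the victim
    "10:00:40 reply 192.168.1.1 is-at de:ad:be:ef:00:66",    # repoison_arp: the same lie again
]


def parse_arp_log(lines):
    """Return (time, ip, mac) tuples for every 'reply ... is-at ...' line."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 5 and parts[1] == "reply" and parts[3] == "is-at":
            records.append((parts[0], parts[2], parts[4].lower()))
    return records


def detect_arp_poisoning(records, protected_ips=frozenset()):
    """Walk ARP replies in order and return human-readable alerts.

    protected_ips: addresses whose MAC should never change (gateway, DNS,
    DHCP server). A change there is rated HIGH, elsewhere MEDIUM, because
    DHCP lease churn legitimately moves ordinary client addresses."""
    believed = {}                 # ip -> mac we currently trust
    claims = defaultdict(set)     # mac -> ips it has answered for
    alerts = []
    for ts, ip, mac in records:
        prev = believed.get(ip)
        if prev is not None and prev != mac:
            sev = "HIGH" if ip in protected_ips else "MEDIUM"
            alerts.append(f"{ts} {sev}: {ip} moved from {prev} to {mac}")
        believed[ip] = mac
        if ip not in claims[mac]:
            claims[mac].add(ip)
            if len(claims[mac]) > 1:      # one NIC answering for several IPs
                alerts.append(f"{ts} MEDIUM: {mac} now claims {sorted(claims[mac])}")
    return alerts


if __name__ == "__main__":
    for alert in detect_arp_poisoning(parse_arp_log(ARP_LOG), protected_ips={"192.168.1.1"}):
        print(alert)
```

Run against the constructed log this yields four alerts, all at 10:00:30: the gateway mapping flips (HIGH), the attacker’s MAC is seen claiming two and then three addresses, and the victim’s mapping flips (MEDIUM). The repeated poison at 10:00:40 is silent because nothing new was learned. Two legitimate cases will trip the "several IPs" rule and need whitelisting: a router holding secondary addresses, and HSRP/VRRP virtual IPs, which share a virtual MAC by design.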
In-line attacks can be performed with purpose-built devices like the Hak5 Plunder Bug pictured below, or with a Raspberry Pi bridging two Ethernet interfaces (its onboard port plus a USB Ethernet adapter).
Now, let’s take a look at Vesper, an interesting new tool for detecting these attacks.
Detection via echo analysis using Vesper
Vesper is a novel plug-and-play MitM detector for local area networks. Vesper uses a technique inspired by the domain of acoustic signal processing. Analogous to how echoes in a cave capture the shape and construction of the environment, so too can a short and intense pulse of ICMP echo requests model the link between two network hosts. Vesper sends these probes to a target network host and then uses the reflected signal to summarize the channel environment (think sonar). Vesper uses machine learning to profile the link with each host, and to detect when the environment changes. Using this technique, Vesper can detect MitM attacks with high accuracy, to the extent that it can distinguish between identical networking devices. (Source: https://github.com/ymirsky/Vesper)
This really got my propeller spinning. Mimicking the echolocation used by bats, this tool sends a burst of pings (ICMP echo requests) of various sizes at random timings to a target host. The responses are then measured and key features extracted from the signal. The features are used to create a signature representing the host. Any MITM device (or really any substantive change) in the path between the two, whether physically via a bridge like the “Plunder Bug” above or virtually via L2 redirection with ettercap, will cause the signature to change and thus raise an alarm. This is pretty cool and the math behind it is awesome. I wonder how sensitive this method is to noise caused by electrical disturbances such as crosstalk or even a loose RJ-45 connector? This method could be useful on closed networks as an alternative/additional method to physical inspection.
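To show the principle rather than the product, here is an added toy version of echo analysis. It is my own simplification, not Vesper’s code or its model: the link to a host is treated as rtt(size) = a + b*size (fixed latency plus a per-byte forwarding cost), a baseline burst of mixed-size probes fits that line, and later bursts are scored by how far their residuals drift from it. A store-and-forward device spliced into the path adds processing delay to a and serialization delay to b, so the mean residual shifts. No packets are sent; the RTTs are constructed from the model plus bounded jitter, and the 250 µs / 0.08 µs per byte baseline and the 90 µs / 0.16 µs per byte bridge penalty are assumed numbers, not measurements.

```python
"""Toy echo-analysis MitM detector in the spirit of Vesper (not Vesper's code).

Models the link to a host as rtt(size) = a + b*size: fixed latency plus a
per-byte forwarding cost. A baseline burst of mixed-size echo probes fits the
model; later bursts are scored by how far their residuals drift from it. Any
store-and-forward device spliced into the path (a bridge, or an ARP-spoofing
relay) adds processing delay to a and serialization delay to b, so the
residual mean shifts. All measurements below are constructed; nothing is sent.
"""
import math
from dataclasses import dataclass

PROBE_SIZES = (64, 128, 256, 512, 1024, 1472)   # ICMP payload sizes in bytes
PROBES_PER_SIZE = 10


@dataclass
class LinkProfile:
    intercept_us: float        # a: fixed round-trip latency
    slope_us_per_byte: float   # b: per-byte cost along the path
    resid_sigma_us: float      # spread of the baseline residuals
    n: int


def fit_profile(samples):
    """Least-squares fit of rtt = a + b*size over (size, rtt_us) pairs."""
    n = len(samples)
    mean_s = sum(s for s, _ in samples) / n
    mean_r = sum(r for _, r in samples) / n
    sxx = sum((s - mean_s) ** 2 for s, _ in samples)
    sxy = sum((s - mean_s) * (r - mean_r) for s, r in samples)
    b = sxy / sxx
    a = mean_r - b * mean_s
    rss = sum((r - (a + b * s)) ** 2 for s, r in samples)
    return LinkProfile(a, b, math.sqrt(rss / (n - 2)), n)


def residuals(profile, samples):
    return [r - (profile.intercept_us + profile.slope_us_per_byte * s) for s, r in samples]


def drift_score(profile, samples):
    """z-score of a burst's mean residual against the baseline fit.
    Large positive values mean the path became slower than the profile predicts."""
    res = residuals(profile, samples)
    stderr = profile.resid_sigma_us / math.sqrt(len(res))
    return (sum(res) / len(res)) / stderr


def spread_ratio(profile, samples):
    """Residual spread of a burst relative to baseline. Random noise (a loose
    connector, crosstalk) widens the spread without shifting the mean, so read
    this alongside drift_score to separate a flaky cable from a path change."""
    res = residuals(profile, samples)
    mean = sum(res) / len(res)
    sd = math.sqrt(sum((x - mean) ** 2 for x in res) / (len(res) - 1))
    return sd / profile.resid_sigma_us


def is_mitm(profile, samples, z_threshold=4.0):
    """Alarm on a mean shift in either direction: any change to the path changes the echo."""
    return abs(drift_score(profile, samples)) > z_threshold


def simulate_burst(latency_us, per_byte_us, phase, extra_hop_us=0.0, extra_per_byte_us=0.0):
    """Constructed stand-in for a real ping burst: the link model plus bounded
    jitter; `phase` varies the jitter pattern between bursts. A real prober would
    also randomize probe order and inter-probe timing so a relay cannot recognize
    and fast-path the measurement traffic."""
    samples = []
    for i, size in enumerate(s for s in PROBE_SIZES for _ in range(PROBES_PER_SIZE)):
        jitter_us = 12.0 * math.sin(1.7 * i + phase)   # +/-12 us measurement noise
        rtt_us = (latency_us + extra_hop_us) + (per_byte_us + extra_per_byte_us) * size + jitter_us
        samples.append((size, rtt_us))
    return samples


def demo():
    """Assumed baseline: 250 us base RTT, 0.08 us/byte. Assumed bridge: an inline
    100 Mb/s tap adding ~90 us of forwarding delay plus two extra store-and-forward
    stages on the round trip (~0.16 us/byte). Illustrative numbers, not measured."""
    profile = fit_profile(simulate_burst(250.0, 0.08, phase=0.0))
    clean = simulate_burst(250.0, 0.08, phase=0.9)
    bridged = simulate_burst(250.0, 0.08, phase=2.1, extra_hop_us=90.0, extra_per_byte_us=0.16)
    return profile, clean, bridged


if __name__ == "__main__":
    prof, clean, bridged = demo()
    print(f"baseline a={prof.intercept_us:.1f}us b={prof.slope_us_per_byte:.4f}us/B sigma={prof.resid_sigma_us:.1f}us")
    for name, burst in (("clean", clean), ("bridged", bridged)):
        z, spread = drift_score(prof, burst), spread_ratio(prof, burst)
        print(f"{name:8s} z={z:+7.1f} spread={spread:.2f} -> {'ALARM' if is_mitm(prof, burst) else 'ok'}")
```

With these inputs the clean burst scores within a fraction of one standard error of the baseline while the bridged burst lands well over a hundred standard errors away, so the 4-sigma threshold has plenty of margin. The spread_ratio is the hook for the noise question: a noisy cable pushes the spread up while leaving the mean near zero, whereas an inserted hop moves the mean, which is what you would alarm on. Real links have long-tailed jitter from queueing, so a production detector wants a re-baselining policy and a threshold tuned per link, which is the part Vesper hands to its learned model.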
Mitigation via proper switch configuration
Of these attack types, most of the endpoint (spoofing) variants are easily mitigated through core security features available in the Cisco Catalyst switch family. While these may be table-stakes for enterprise networks, not all networks or switches utilize them. Note that DAI and IP Source Guard validate against the binding table that DHCP snooping builds, so DHCP snooping has to be in place first, and statically addressed hosts need static bindings or they will be cut off. The features are:
- Dynamic ARP inspection (DAI)
- DHCP Snooping
- IP Source Guard
- Storm control
Configuration details for each of these features can be found here:
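As an added worked example (mine, not the author’s, and not tied to any particular link), here is what the four features look like together on a Catalyst running IOS. The topology is assumed: hosts in VLAN 10 on Gi1/0/1-24, the uplink carrying DHCP server traffic on Gi1/0/48, and one statically addressed host on Gi1/0/5 whose MAC and IP are made up for the example.

```cisco
! Assumed topology for the example: access VLAN 10 on Gi1/0/1-24,
! uplink toward the DHCP server on Gi1/0/48.
!
! 1. DHCP snooping: builds the IP/MAC/VLAN/port binding table that DAI and
!    IP Source Guard check against. Only the uplink may source server replies.
ip dhcp snooping
ip dhcp snooping vlan 10
!
! 2. Dynamic ARP Inspection: ARP packets on untrusted ports must match a
!    binding, which is exactly what ettercap's arp poisoning cannot satisfy.
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
! Statically addressed host (example MAC/IP): without this entry DAI and
! IPSG would drop its traffic because it never appears in the snooping table.
ip source binding 0011.2233.4450 vlan 10 10.0.10.50 interface GigabitEthernet1/0/5
!
! Let ports shut down by storm control recover on their own after 5 minutes.
errdisable recovery cause storm-control
errdisable recovery interval 300
!
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 10
 ! rate-limit DHCP and ARP so a host cannot flood the CPU
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ! 3. IP Source Guard: drop frames whose source IP does not match the binding
 ip verify source
 ! 4. Storm control: cap broadcast/multicast at 1% of port bandwidth
 !    (rand_flood, smurf_attack, fraggle_attack all live here)
 storm-control broadcast level 1.00
 storm-control multicast level 1.00
 storm-control action shutdown
 ! keep end hosts out of the spanning tree (stp_mangler)
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 description uplink toward DHCP server
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
! Verify:
!   show ip dhcp snooping binding
!   show ip arp inspection statistics vlan 10
!   show ip verify source
!   show storm-control
```

Two operational caveats: DHCP snooping inserts option 82 into relayed requests by default, and some DHCP servers reject those (disable it with no ip dhcp snooping information option if leases stop flowing), and the binding table is lost on reload unless you configure ip dhcp snooping database to persist it, otherwise every host with a live lease is briefly blocked by DAI/IPSG until it renews.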
The in-line bridging variant is best defended against with good physical security measures, including cable locks, secured telecom closets, etc. Further, 802.1X together with MACsec (802.1AE) can be used to authenticate the connected endpoint and encrypt the traffic at L2 between the client and the switchport, effectively making traffic captured on that cable useless. Note the scope: MACsec protects a single hop, so a tap spliced between the client and the switch sees only ciphertext, whereas 802.1X on its own only authenticates the port and does nothing against a passive bridge inserted behind an already-authenticated host; it is the encryption that does the work there. Of course, the higher-level traffic should also be encrypted, but I’ll save that for another post.